Pen 1, new

i figured that since the last pen 1 forum had 60+ replys, its time for a new one

im stuck, so far ive found

the secret directrory
logged in as admin
found some php code talking about an admin panel
found exploit on another page (dont want to give it away)

now im trying to find and exploit on the "m3mb3r t0015" page, i think its xss, not sure, any help? even when i enter normal values nothing seems to happen.

Edited by on 27-10-07 00:13

Author

RE: Pen 1, new

Member

Posts:Location:Joined: 01.01.70 Rank: Guest

Posted on 26-10-07 10:30

... hmm ... m3mb3r t0015 ... ahh yes

You read the notice?

NOTICE: These values are not posted yet, we have not completed the profiles pages.
They are only viewed by admins at the moment.

What should the admin read? And what may not be check?

Look at the page and think about it, you'll get it.

Author

RE: Pen 1, new

Member

Posts:Location:Joined: 01.01.70 Rank: Guest

Posted on 27-10-07 00:13

ok, i found an exploit, but i guess it wasnt good enough to get any points, i included index.php so it would go on for infinity, and it was stopped by the challenge, guess that one is too easy haha.

i also found another page that says that the admin panel is still being made, i dont know what to do from here, im stuck in the same spot as before.

Edited by on 27-10-07 00:15

Author

RE: Pen 1, new

Member

Posts:Location:Joined: 01.01.70 Rank: Guest

Posted on 27-10-07 00:23

I'm thinking you can in***** a s**** perhaps? Find out whats actually on the site.

Author

RE: Pen 1, new

Member

Posts:Location:Joined: 01.01.70 Rank: Guest

Posted on 27-10-07 00:27

already tried that, i keep getting the you already found this exploit alert

Author

RE: Pen 1, new

Member

Posts:Location:Joined: 01.01.70 Rank: Guest

Posted on 27-10-07 00:41

yeah, I'm trying to find a way to get it in... because I'm sure there's a way!

If only Richo would get on or Sleaz would get off the pot haha. I need to learn a bit about PEAR I think... unless... RELATIVITY!!!

Author

RE: Pen 1, new

Member

Posts:Location:Joined: 01.01.70 Rank: Guest

Posted on 27-10-07 00:49

whatever the problem is i cant figure it out haha, PEAR.....ohhhhh PEAR, i have no idea what that is. google /pear, that what i did, theres a wiki article.

Edited by on 27-10-07 00:52

Author

RE: wtf

Member

Posts:Location:Joined: 01.01.70 Rank: Guest

Posted on 29-10-07 22:23

altho i have it so im an admin i can see view any more than i could b4...what the poop?

Author

RE: Pen 1, new

Member

Posts:Location:Joined: 01.01.70 Rank: Guest

Posted on 29-10-07 22:43

noober wrote:
altho i have it so im an admin i can see view any more than i could b4...what the poop?

It's a simulated environment. And don't use the word "poop" in a serious question; it makes your post suck.

Author

RE: bah

Member

Posts:Location:Joined: 01.01.70 Rank: Guest

Posted on 29-10-07 22:48

seeing as the site doesnt let you use the word fuck i sub with poop seems far to me

Author

RE: Pen 1, new

Member

Posts:Location:Joined: 01.01.70 Rank: Guest

Posted on 29-10-07 23:31

noober wrote:
seeing as the site doesnt let you use the word fuck i sub with poop seems far to me

Well, though that is an accurate statement, it is irrelevant. I think the creators of the challenge meant for the admin login to not have any more privileges to prove:

"Admin credentials are not the answer to everything, and not always easily obtainable."

Sometimes, you have to use exploits that would utilize alternate credentials without the credentials being available. Also, if the admin login did give you any more privilege, then it would've made the challenge easier. Ultimately, that would've made the challenge less effective in teaching viable technique.

Author

RE: indeed

Member

Posts:Location:Joined: 01.01.70 Rank: Guest

Posted on 30-10-07 00:11

i suppose your right. Just working on using those nooblet credentials somehow

Author

RE: Pen 1, new

Member

Posts:Location:Joined: 01.01.70 Rank: Guest

Posted on 30-10-07 00:20

noober wrote:
i suppose your right. Just working on using those nooblet credentials somehow

*cough, cough* Diversion! :ninja:

Author

RE: Pen 1, new

Member

Posts:Location:Joined: 01.01.70 Rank: Guest

Posted on 30-10-07 01:58

noober wrote:
i suppose your right. Just working on using those nooblet credentials somehow

*cough, cough* Diversion!

yeah...they're not meant to be used at all (unless there's a 6th exploit I haven't found or something)

Now, to your problem on the member tools page, you're on the right track.
How many fields do you have in the form?